You can automatically generate profiles for specific users and groups by enabling group policies in a Group Policy Object for a domain, site, or organizational unit in an Active Directory forest or by specifying configuration settings on individual computers.
Rights required for this task
You must have an account with root permission to modify agent configuration files on managed computers or an administrative account with write permission to enable group policies on a Group Policy Object linked to a domain or organizational unit.
Who should perform this task
A Windows or UNIX administrator performs this task, depending on your organization’s policies. In most cases, a Windows administrator is responsible for configuring group policies and modifying Group Policy Objects. If your organization uses local configuration settings, the UNIX administrator is usually responsible for this task.
Steps for completing this task using group policies
In most cases, you should use group policies in a Group Policy Object to identify the Active Directory users and groups for which you want to automatically generate profiles. The Group Policy Object enables you to centrally manage access to computers in the Auto Zone. You can enable and configure the following group policies to specify a subset of Active Directory users and groups that should have access to computers in Auto Zone:
- Specify AD users allowed in Auto Zone
- Specify groups of AD users allowed in Auto Zone
- Specify AD groups allowed in Auto Zone
The following instructions illustrate how to limit the valid users and groups in the Auto Zone using these group policy settings.
Identify or create an Active Directory group that includes all of the users that you want to give access to Centrify-managed computers.
The group can be a domain local, global, or universal group. The group can include sub groups — members of these sub groups will also be included in Auto Zone.
- Open Group Policy Management to create or select a Group Policy Object that is linked to a site, domain, or organizational unit.
- Right-click the Group Policy Object, then select Edit to open Group Policy Management Editor.
Expand Computer Configuration > Policies > Centrify Settings > DirectControl Settings, click Adclient Settings.
- Double-click “Specify groups of AD users allowed in Auto Zone” to specify users by Active Directory group without automatically generating profiles for the groups themselves.
- Double-click Specify AD users allowed in Auto Zone to specify individual Active Directory users for which to automatically generate profile.
- Double-click Specify AD groups allowed in Auto Zone to specify individual Active Directory groups for which to automatically generate profile.
- Select Enabled, then click List to browse for the groups or users to include.
- Click Add, enter search criteria, then click Find Now.
- Select one or more groups or users from the list, then click OK.
Steps for completing this task using configuration parameters
In some cases, you might want to limit the Active Directory users and groups who have a profile generated by configuring parameters in the centrifydc.conf file on individual computers. For example, you might want to use configuration parameter settings if you don’t want to implement or apply group policies on certain computers.
You can configure the following configuration parameters to specify a subset of Active Directory users and groups that should have access to computers in Auto Zone:
The following instructions illustrate how to limit the valid users and groups in the Auto Zone using these configuration parameters settings.
- On a Windows computer, in Active Directory Users and Computers, identify or create a group or group that includes all the users who you want to have access to your Centrify‑managed computers.
On each computer to add to Auto Zone, open the /etc/centrifydc/centrifydc.conf configuration file.
- Find the auto.schema.allow.groups parameter and remove the comment (#) to add the names of groups separated by commas.
- Find auto.schema.allow.users and remove the comment (#) to add the names of users separated by commas.
- Find auto.schema.groups and remove the comment (#) to add the names of groups separated by commas.
The configuration file contains comments that list the valid formats for user and group names. For more information about setting these parameters or editing the configuration file, see theConfiguration and Tuning Reference Guide.
- Save and close the file.